Yes it is possible but if the guest OS is installed in a TC container they need a backdoor also in TC before they are able to have access to the guest OS, and atm i dont think TC has backdoors, even if in these weeks some users are investigating about that

Just like the title says. Is it possible that NSA is simply bypassing Tor or VPN by having a backdoor in VMs?

Click to expand...

When you say 'VMs' are you referring specifically to operating systems hosted using VMware or are you referring to virtualisation generally, even using opensource software to host the operating systems?

Is it possible that NSA is simply bypassing Tor or VPN by having a backdoor in VMs?

Click to expand...

Generally, yes, a backdoor is possible in any kind of software. But you have to ask yourself why would NSA backdoor VM software? What possible advantage would that give them? (and I don't think that just the fact that you and a few other people are using TOR inside VM is reason enough for NSA to backdoor the VM...).

Also, I think that even if they have a backdoor in the VM software, depending on your setup, they will not be able to bypass TOR.

That's how the theory goes... But consider for a bit how hard it would be for a single individual to "review" the source code for VirtualBox, even with a solid computer programmer background. The part about compiling it yourself is a bit easier, but it still requires a lot of skill.

That's how the theory goes... But consider for a bit how hard it would be for a single individual to "review" the source code for VirtualBox, even with a solid computer programmer background. The part about compiling it yourself is a bit easier, but it still requires a lot of skill.

Click to expand...

It's unlikely for a single person to review the source, but it's entirely possible to organize an effort similar to istruecryptauditedyet.com.

Oracle is a terrible company, but if they wanted to include backdoors in VirtualBox, they would've closed the source a long time ago. Why would they spend time implementing a backdoor in open-source software that, if ever detected, would pretty much lead to everyone abandoning the software en masse? Leaving it open allows potentially thousands of individuals to comb through different areas of the source as they look for bugs and compile it on their own. There are too many eyes on it for me to buy into the notion of backdoors being likely. Yes, it's still possible. Anything is possible if you want to speak in technicalities. But the NSA's time would be better served using any of the other countless attack vectors at their disposal.

And despite how terrible Oracle is as a company, therein lies the secret behind Virtualbox. It is open source software. Some group of coders would have found backdoors if they existed you can feel confidant on that.

Reith said:

It's unlikely for a single person to review the source, but it's entirely possible to organize an effort similar to istruecryptauditedyet.com.

Oracle is a terrible company, but if they wanted to include backdoors in VirtualBox, they would've closed the source a long time ago. Why would they spend time implementing a backdoor in open-source software that, if ever detected, would pretty much lead to everyone abandoning the software en masse? Leaving it open allows potentially thousands of individuals to comb through different areas of the source as they look for bugs and compile it on their own. There are too many eyes on it for me to buy into the notion of backdoors being likely. Yes, it's still possible. Anything is possible if you want to speak in technicalities. But the NSA's time would be better served using any of the other countless attack vectors at their disposal.

And despite how terrible Oracle is as a company, therein lies the secret behind Virtualbox. It is open source software. Some group of coders would have found backdoors if they existed you can feel confidant on that.

Click to expand...

I don't think people should be overly confident, depending on their security needs. It's not unheard of that security bugs go unnoticed in open source software for long periods of time. I think I even heard of one occasion of a bug being discovered that had been around for years unnoticed.

So the ideal and principle of open source software is that the code is being reviewed by competent and trustworthy people. But I think the real world reality is messier. There are lots of lines of code out there. It takes time for humans to review the code. People make mistakes. People aren't looking at every line of code all the time.

So yes, open source is a much better option and more trusthworthy than closed source. But it's not a magic bullet.

I don't think people should be overly confident, depending on their security needs. It's not unheard of that security bugs go unnoticed in open source software for long periods of time. I think I even heard of one occasion of a bug being discovered that had been around for years unnoticed.

So the ideal and principle of open source software is that the code is being reviewed by competent and trustworthy people. But I think the real world reality is messier. There are lots of lines of code out there. It takes time for humans to review the code. People make mistakes. People aren't looking at every line of code all the time.

So yes, open source is a much better option and more trusthworthy than closed source. But it's not a magic bullet.